ReadWEBPImage in coders/webp.c in ImageMagick 7.0.6-5 has an issue where memory allocation is excessive because it depends only on a length field in a header.

CVE Details: (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14137)
Upstream Source: (https://github.com/ImageMagick/ImageMagick/issues/641)
- We can reproduce it and will have a patch to fix it in GIT master branch

Patch 2/2 for #641:
commit cb63560ba25e4a6c51ab282538c24877fff7d471
commit cfc2bd4c87481d4cf60308cc6ffd3c61288ff004

Remarks for #641: "The fix breaks reading all WebP images. See lines 266 - 269"

ImageMagick 7.0.6-5 has a memory leak vulnerability in ReadWEBPImage in coders/webp.c because memory is not freed in certain error cases, as demonstrated by VP8 errors.

CVE Details: (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14138)
Upstream Source: (https://github.com/ImageMagick/ImageMagick/issues/639)
- We can reproduce it and will have a patch to fix it in GIT master branch

Patch 4/4 for #639:
commit 13f4cbc6ed5e01a78d179f5be0032ed560adfb1a
commit 5ea1396db9b6a85a11a65daa99d267517f3cbdcd (Cristy committed Aug 1, 2017)
commit def00c720dffb57a821bd8acd77eac7b10a0568b
commit 06ccb0ccdcca8219862a05c5589329903473235f

ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteMSLImage in coders/msl.c.

CVE Details: (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14139)
Upstream Source: (https://github.com/ImageMagick/ImageMagick/issues/578)
- We can reproduce it and will have a patch to fix it in GIT master branch

Patch 2/2 for #578:
commit 0dfce0579c881245e495aa2d8d114e63b96a860e
commit d426a1dc84cfdafdac67bdb2a1ecc6e1798053e6

@maintainer(s), Patches available...

Daj Uan (jmbailey/mbailey_j)
Gentoo Security Padawan
CVE-2017-14139 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14139):
ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteMSLImage in coders/msl.c.

CVE-2017-14138 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14138):
ImageMagick 7.0.6-5 has a memory leak vulnerability in ReadWEBPImage in coders/webp.c because memory is not freed in certain error cases, as demonstrated by VP8 errors.

CVE-2017-14137 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14137):
ReadWEBPImage in coders/webp.c in ImageMagick 7.0.6-5 has an issue where memory allocation is excessive because it depends only on a length field in a header.
n repository since https://github.com/gentoo/gentoo/commit/e1658f8bb1511ac66fe7dc2a1d00cfae4be4f43a#diff-c3da9b5318c1a67d6927fb8032d46fe5
This issue was resolved and addressed in GLSA 201711-07 at https://security.gentoo.org/glsa/201711-07 by GLSA coordinator Aaron Bauman (b-man).
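Added example, not ImageMagick's code or the upstream patch: one way to avoid the CVE-2017-14137 pattern is to compare the length declared in the RIFF/WebP container header with the number of bytes the input really holds before sizing any allocation from it. The function, enum and macro names are hypothetical, and the header bytes in main() are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RIFF_HEADER_SIZE 12u  /* "RIFF" + 32-bit length + "WEBP" */

/* Hypothetical result codes for this example. */
enum webp_len_status { WEBP_LEN_OK, WEBP_LEN_NOT_WEBP, WEBP_LEN_TRUNCATED, WEBP_LEN_MISMATCH };

/* Read the little-endian 32-bit RIFF length field stored at bytes 4..7. */
static uint32_t riff_declared_length(const unsigned char *hdr)
{
  return (uint32_t) hdr[4] | ((uint32_t) hdr[5] << 8) |
         ((uint32_t) hdr[6] << 16) | ((uint32_t) hdr[7] << 24);
}

/*
 * Validate the declared size against "available", the byte count the input
 * source really holds (file or blob size). Only on WEBP_LEN_OK is *alloc_size
 * set, and it is then known to be backed by real data.
 */
enum webp_len_status webp_checked_alloc_size(const unsigned char *hdr,
  size_t hdr_len, size_t available, size_t *alloc_size)
{
  uint64_t total;

  if (hdr_len < RIFF_HEADER_SIZE || available < RIFF_HEADER_SIZE)
    return WEBP_LEN_TRUNCATED;
  if (memcmp(hdr, "RIFF", 4) != 0 || memcmp(hdr + 8, "WEBP", 4) != 0)
    return WEBP_LEN_NOT_WEBP;
  /* The length field counts everything after the first 8 bytes. */
  total = (uint64_t) riff_declared_length(hdr) + 8u;
  if (total < RIFF_HEADER_SIZE || total > (uint64_t) available)
    return WEBP_LEN_MISMATCH;  /* header claims more (or less) than exists */
  *alloc_size = (size_t) total;
  return WEBP_LEN_OK;
}

int main(void)
{
  /* Constructed sample: header claiming about 2 GiB, input holds 64 bytes. */
  const unsigned char hdr[12] =
    {'R','I','F','F', 0xf0,0xff,0xff,0x7f, 'W','E','B','P'};
  size_t n = 0;
  return webp_checked_alloc_size(hdr, sizeof(hdr), 64, &n) == WEBP_LEN_MISMATCH ? 0 : 1;
}
```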